Anyone who has been around the corporate data center for a couple of decades has probably grown accustomed to seeing separate disciplines and/or departments for data protection/disaster recovery planning and information security. Such a distinction has deep historical roots, but one must wonder whether it still makes any sense.

Data protection is part of disaster recovery planning (or business continuity planning if you prefer), which is a set of strategies and processes for preventing avoidable "disasters" (unplanned interruption events) and for minimizing the impact of disasters that cannot be prevented. Data protection is central to DR because, aside from personnel, data is a unique corporate asset that cannot be replaced. The only way to protect data is a strategy of redundancy: make a copy and store the copy sufficiently distant from the original so that the same disaster event cannot destroy both the original and the copy.

In addition to disaster avoidance and data protection, a good DR capability also includes provisions for application, network and user recoveries, plus processes for testing, training and change management. DMI provides a data protection/disaster recovery planning course and certification (Certified Data Protection Specialist or CDPS), by the way, if you are assigned the planning task and need some guidance.

Information security planning is very similar to DR planning. Structurally, it aims to protect mission critical business processes and data assets, but it uses a number of interlocking strategies that are unique to security.

Infosec has developed its own vocabulary and its own set of strategies for securing applications, networks and facility perimeter and endpoints, and of course, data assets. Then, these strategies are supplemented by processes for active monitoring and periodic review to ensure that security provisions are keeping data private.

There is usually very little communication between the DR folks and the Infosec folks, except when DR needs to be concerned about recovering data that may be encrypted, or gaining access to an application or set of infrastructure in an emergency that is otherwise locked down by security's access control systems. Conversely, the Infosec folks may only interact with the DR/data protection folks to ensure that continuous data protection capabilities are being deployed and leveraged to enable quick restore following a malware attack or a ransomware attack by "rewinding" data to a point before the attack occurred.

Both disciplines have much to learn from each other. DR, for example, has already flirted with nutty quantitative techniques for matching protection services to specific data given the threats to the organization, business unit, or infrastructure. These quantitative methods, Single Loss Expectancy and Annual Loss Expectancy, were silly on their face and have been mostly abandoned by DR planners today. The key problem with such techniques is that they require planners to have meaningful data regarding the probabilities of threat potentials being realized. We have over 100 years of hurricane tracking data, but no one knew for sure when or where a hurricane was going to strike the US mainland in 2017.

Security is moving down this path, at present. Attack surface reduction modeling techniques are the same sort of quasi-scientific quantitative-sounding methodologies as ALE and SLE in the DR world. Some view them as an improvement over the threat/cost modeling that was used by many Infosec practitioners in the 1990s, but not by much. Back then, we were told that the cost to protect should not be significantly greater than the cost to bad guys to circumvent the protection. Only, the relationship was assymetrical: the bad guys incurred little to no expense to test the security of their targets or to defeat the measures that were being taken to keep them out.

There is much more to this story, but DMI members who are interested should probably take the DMI workshop for Certified Data Security Specialists (CDSS) to get more information.

Bottom line: DR and Infosec should be working together going forward in all aspects of data protection planning. Moreiver, both DR and Infosec ought to be subsumed under the rubrick of cognitive data management in the future, since both data protection and data privacy/security are actually best delivered as services associated wtih data based on granular business-savvy policies.